SYSTEMS AND METHODS FOR POLICY UNDO IN OPERATIONAL TECHNOLOGY DEVICES

Abstract

An OT device includes a memory and a processor. The memory stores a first policy, a second policy, and program instructions. The first policy includes a first set of settings associated with the operation of the OT device. The second policy includes a second set of settings associated with the operation of the OT device. The program instructions, when executed by the processor, cause the processor to receive first data associated with a first event, identify a first action in response to the first event based on the first policy, perform the identified first action, receive a command to enforce the second policy and stop enforcing the first policy, receive second data associated with a second event, identify a second action in response to the second event based on the second policy, and perform the identified second action.

Description

BACKGROUND

The present disclosure generally relates to tools for managing security policies for enterprises that operate operational technology (OT) networks.

Industrial automation systems may be used to provide automated control of one or more actuators in an industrial setting. OT networks may be used to communicatively couple industrial automation systems and/or industrial automation components within an industrial automation system. Policies may dictate access to and operation of OT assets within the OT network. When new policies are implemented, they may have unintended and/or unanticipated side effects within the OT network that may lead to downtime or outages. Accordingly, techniques for implementing new policies that reduce or eliminate down time or outages are desired.

This section is intended to introduce the reader to aspects of art that may be related to various aspects of the present disclosure, which are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present disclosure. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.

BRIEF DESCRIPTION

A summary of certain embodiments disclosed herein is set forth below. It should be understood that these aspects are presented merely to provide the reader with a brief summary of these certain embodiments and that these aspects are not intended to limit the scope of this disclosure. Indeed, this disclosure may encompass a variety of aspects that may not be set forth below.

In an embodiment, an OT device includes a memory and a processor. The memory stores a first policy, a second policy, and program instructions. The first policy includes a first set of settings associated with the operation of the OT device. The second policy includes a second set of settings associated with the operation of the OT device. The program instructions, when executed by the processor, cause the processor to receive first data associated with a first event, identify a first action in response to the first event based on the first policy, perform the identified first action, receive a command to enforce the second policy and stop enforcing the first policy, receive second data associated with a second event, identify a second action in response to the second event based on the second policy, and perform the identified second action.

In another embodiment, an OT device includes a user interface element, a memory, and a processor. The user interface element, when actuated, generates a command to enforce a second policy and stop enforcing a first policy. The memory stores a first policy, a second policy, and program instructions. The first policy includes a first set of settings associated with the operation of the OT device. The second policy, includes a second set of settings associated with the operation of the OT device. The program instructions, when executed by the processor, cause the processor to receive first data associated with a first event, identify a first action in response to the first event based on the first policy, perform the identified first action, receive, via the user interface element, the command to enforce the second policy and stop enforcing the first policy, receive second data associated with a second event, identify a second action in response to the second event based on the second policy, and perform the identified second action.

In a further embodiment, a method includes enforcing a first policy including a first set of settings associated with operation of an OT device, receiving a command to stop enforcing the first policy and to enforce a second policy including a second set of settings associated with the operation of the OT device, retrieving the second policy from memory, and enforcing the second policy.

Various refinements of the features noted above may exist in relation to various aspects of the present disclosure. Further features may also be incorporated in these various aspects as well. These refinements and additional features may exist individually or in any combination. For instance, various features discussed below in relation to one or more of the illustrated embodiments may be incorporated into any of the above-described aspects of the present disclosure alone or in any combination. The brief summary presented above is intended only to familiarize the reader with certain aspects and contexts of embodiments of the present disclosure without limitation to the claimed subject matter.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features, aspects, and advantages of the present embodiments will become better understood when the following detailed description is read with reference to the accompanying drawings in which like characters represent like parts throughout the drawings, wherein:

FIG. 1 is a schematic view of an industrial automation system, in accordance with embodiments presented herein;

FIG. 2 is a block diagram of example components that could be used in the industrial automation system of FIG. 1, in accordance with embodiments presented herein;

FIG. 3 is a perspective view of an example of the industrial automation system of FIG. 1 controlled by an industrial control system, in accordance with an embodiment;

FIG. 4 is a block diagram of an example operational technology (OT) network, including the industrial control system of FIG. 3, that coordinates with a container orchestration system, in accordance with an embodiment;

FIG. 5 is a schematic illustrating an architecture for managing policies within an enterprise, in accordance with embodiments presented herein;

FIG. 6 is a schematic of an OT system having one or more OT devices with a policy undo capability; and

FIG. 7 is a flow chart of a process for policy undo in OT systems.

DETAILED DESCRIPTION

One or more specific embodiments will be described below. In an effort to provide a concise description of these embodiments, not all features of an actual implementation are described in the specification. It should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and enterprise-related constraints, which may vary from one implementation to another. Moreover, it should be appreciated that such a development effort might be complex and time consuming, but would nevertheless be a routine undertaking of design, fabrication, and manufacture for those of ordinary skill having the benefit of this disclosure.

When introducing elements of various embodiments of the present disclosure, the articles “a,” “an,” “the,” and “said” are intended to mean that there are one or more of the elements. The terms “comprising,” “including,” and “having” are intended to be inclusive and mean that there may be additional elements other than the listed elements.

The present disclosure is directed to OT devices having a policy undo capability that quickly and easily reverts an OT device to a policy associated with a previous known stable state. Specifically, a system may store an active policy and a backup policy in memory. The backup policy may be a policy associated with a last known stable state of the OT device and/or OT system. If an administrator determines that the active policy is not working as intended or has unanticipated side effects, the administrator provides a command to revert to the backup policy. In some embodiments, the command may be provided via a physical input device, such as a push button, or via a user interface of the OT device itself. The command may cause the OT device to retrieve the backup policy from memory and implement the backup policy. In other embodiments, the command may be provided via some other device on the OT network, such as a mobile device, a work station, a tablet, a human-machine interface (HMI), etc. In such embodiments, instructions may be transmitted to the OT device over the OT network to implement the backup policy. In some embodiments, the instructions transmitted over the OT network may include the backup policy, whereas in other embodiments, the instructions may reference a backup policy that is already stored in memory of the OT device, such that the instructions are smaller in size and can be more quickly and efficiently transmitted via the OT network. Additional details with regard to OT devices having a policy undo capability in accordance with the techniques described above will be provided below with reference to FIGS. 1-7.

By way of introduction, FIG. 1 is a schematic view of an example industrial automation system 10 in which the embodiments described herein may be implemented. As shown, the industrial automation system 10 includes a controller 12 and an actuator 14 (e.g., a motor). The industrial automation system 10 may also include, or be coupled to, a power source 16. The power source 16 may include a generator, an external power grid, a battery, or some other source of power. The controller 12 may be a stand-alone control unit that controls multiple industrial automation components (e.g., a plurality of motors 14), a controller 12 that controls the operation of a single automation component (e.g., motor 14), or a subcomponent within a larger industrial automation system 10. In the instant embodiment, the controller 12 includes a user interface 18, such as a human machine interface (HMI), and a control system 20, which may include a memory 22 and a processor 24. The controller 12 may include a cabinet or some other enclosure for housing various components of the industrial automation system 10, such as a motor starter, a disconnect switch, etc.

The control system 20 may be programmed (e.g., via computer readable code or instructions stored on the memory 22, such as a non-transitory computer readable medium, and executable by the processor 24) to provide signals for controlling the motor 14. In certain embodiments, the control system 20 may be programmed according to a specific configuration desired for a particular application. For example, the control system 20 may be programmed to respond to external inputs, such as reference signals, alarms, command/status signals, etc. The external inputs may originate from one or more relays or other electronic devices. The programming of the control system 20 may be accomplished through software or firmware code that may be loaded onto the internal memory 22 of the control system 20 (e.g., via a locally or remotely located computing device 26) or programmed via the user interface 18 of the controller 12. The control system 20 may respond to a set of operating parameters. The settings of the various operating parameters may determine the operating characteristics of the controller 12. For example, various operating parameters may determine the speed or torque of the motor 14 or may determine how the controller 12 responds to the various external inputs. As such, the operating parameters may be used to map control variables within the controller 12 or to control other devices communicatively coupled to the controller 12. These variables may include, for example, speed presets, feedback types and values, computational gains and variables, algorithm adjustments, status and feedback variables, programmable logic controller (PLC) control programming, and the like.

In some embodiments, the controller 12 may be communicatively coupled to one or more sensors 28 for detecting operating temperatures, voltages, currents, pressures, flow rates, and other measurable variables associated with the industrial automation system 10. With feedback data from the sensors 28, the control system 20 may keep detailed track of the various conditions under which the industrial automation system 10 may be operating. For example, the feedback data may include conditions such as actual motor speed, voltage, frequency, power quality, alarm conditions, etc. In some embodiments, the feedback data may be communicated back to the computing device 26 for additional analysis.

The computing device 26 may be communicatively coupled to the controller 12 via a wired or wireless connection. The computing device 26 may receive inputs from a user defining an industrial automation project using a native application running on the computing device 26 or using a website accessible via a browser application, a software application, or the like. The user may define the industrial automation project by writing code, interacting with a visual programming interface, inputting or selecting values via a graphical user interface, or providing some other inputs. The user may use licensed software and/or subscription services to create, analyze, and otherwise develop the project. The computing device 26 may send a project to the controller 12 for execution. Execution of the industrial automation project causes the controller 12 to control components (e.g., motor 14) within the industrial automation system 10 through performance of one or more tasks and/or processes. In some applications, the controller 12 may be communicatively positioned in a private network and/or behind a firewall, such that the controller 12 does not have communication access outside a local network and is not in communication with any devices outside the firewall, other than the computing device 26. The controller 12 may collect feedback data during execution of the project, and the feedback data may be provided back to the computing device 26 for analysis. Feedback data may include, for example, one or more execution times, one or more alerts, one or more error messages, one or more alarm conditions, one or more temperatures, one or more pressures, one or more flow rates, one or more motor speeds, one or more voltages, one or more frequencies, and so forth. The project may be updated via the computing device 26 based on the analysis of the feedback data.

The computing device 26 may be communicatively coupled to a cloud server 30 or remote server via the internet, or some other network. In one embodiment, the cloud server 30 may be operated by the manufacturer of the controller 12, a software provider, a seller of the controller 12, a service provider, operator of the controller 12, owner of the controller 12, etc. The cloud server 30 may be used to help customers create and/or modify projects, to help troubleshoot any problems that may arise with the controller 12, develop policies, or to provide other services (e.g., project analysis, enabling, restricting capabilities of the controller 12, data analysis, controller firmware updates, etc.). The remote/cloud server 30 may be one or more servers operated by the manufacturer, software provider, seller, service provider, operator, or owner of the controller 12. The remote/cloud server 30 may be disposed at a facility owned and/or operated by the manufacturer, software provider, seller, service provider, operator, or owner of the controller 12. In other embodiments, the remote/cloud server 30 may be disposed in a datacenter in which the manufacturer, software provider, seller, service provider, operator, or owner of the controller 12 owns or rents server space. In further embodiments, the remote/cloud server 30 may include multiple servers operating in one or more data center to provide a cloud computing environment.

FIG. 2 illustrates a block diagram of example components of a computing device 100 that could be used as the computing device 26, the cloud/remote server 30, the controller 12, or some other device within the system 10 shown in FIG. 1. As used herein, a computing device 100 may be implemented as one or more computing systems including laptop, notebook, desktop, tablet, HMI, or workstation computers, as well as server type devices or portable, communication type devices, such as cellular telephones and/or other suitable computing devices.

As illustrated, the computing device 100 may include various hardware components, such as one or more processors 102, one or more busses 104, memory 106, input structures 108, a power source 110, a network interface 112, a user interface 114, and/or other computer components useful in performing the functions described herein.

The one or more processors 102 may include, in certain implementations, microprocessors configured to execute instructions stored in the memory 106 or other accessible locations. Alternatively, the one or more processors 102 may be implemented as application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), and/or other devices designed to perform functions discussed herein in a dedicated manner. As will be appreciated, multiple processors 102 or processing components may be used to perform functions discussed herein in a distributed or parallel manner.

The memory 106 may encompass any tangible, non-transitory medium for storing data or executable routines. Although shown for convenience as a single block in FIG. 2, the memory 106 may encompass various discrete media in the same or different physical locations. The one or more processors 102 may access data in the memory 106 via one or more busses 104.

The input structures 112 may allow a user to input data and/or commands to the device 100 and may include mice, touchpads, touchscreens, keyboards, controllers, and so forth. The power source 114 can be any suitable source for providing power to the various components of the computing device 100, including line and battery power. In the depicted example, the device 100 includes a network interface 116. Such a network interface 116 may allow communication with other devices on a network using one or more communication protocols. In the depicted example, the device 100 includes a user interface 118, such as a display that may display images or data provided by the one or more processors 102. The user interface 118 may include, for example, a monitor, a display, and so forth. As will be appreciated, in a real-world context a processor-based system, such as the computing device 100 of FIG. 2, may be employed to implement some or all of the present approach, such as performing the functions of the controller, the computing device 26, and/or the cloud/remote server 30 shown in FIG. 1, as well as other memory-containing devices.

FIG. 3 is a perspective view of an example of the industrial automation system 10 of FIG. 1. The industrial automation system 10 includes stations 200, 202, 204, 206, 208, 210, 212, 214 having machine components and/or machines to conduct functions within an automated process, such as silicon wafer manufacturing, as is depicted. The automated process may begin at a station 200 used for loading objects, such as substrates, into the industrial automation system 10 via a conveyor section 216. For example, objects may be transported along the conveyor section 216 to station 202 to perform a first action, such a printing solder paste to the substrate via stenciling. As objects exit from the station 202, the objects may be transported via the conveyor section 216 to a station 204 for solder paste inspection (SPI) to inspect printer results, to a station 206, 208, and 210 for surface mount technology (SMT) component placement, to a station 212 for convection reflow oven to melt the solder to make electrical couplings, and finally to a station 214 for automated optical inspection (AOI) to inspect the object manufactured (e.g., the manufactured printed circuit board). After the objects proceed through the various stations, the objects may be removed from the station 14H, for example, for storage in a warehouse or for shipment. It should be understood, however, that for other applications, the particular system, machine components, machines, stations, and/or conveyors may be different or specially adapted to the application.

For example, the industrial automation system 10 may include machinery to perform various operations in a compressor station, an oil refinery, a batch operation for making food items, chemical processing operations, brewery operations, mining operations, a mechanized assembly line, and so forth. Accordingly, the industrial automation system 10 may include a variety of operational components, such as electric motors, valves, actuators, temperature elements, pressure sensors, or a myriad of machinery or devices used for manufacturing, processing, material handling, and other applications. The industrial automation system 10 may also include electrical equipment, hydraulic equipment, compressed air equipment, steam equipment, mechanical tools, protective equipment, refrigeration equipment, power lines, hydraulic lines, steam lines, and the like. Some example types of equipment may include mixers, machine conveyors, tanks, skids, specialized original equipment manufacturer machines, and the like. In addition to the equipment described above, the industrial automation system 10 may also include motors, protection devices, switchgear, compressors, and the like. Each of these described operational components may correspond to and/or generate a variety of operational technology (OT) data regarding operation, status, sensor data, operational modes, alarm conditions, or the like, that may be desirable to output for analysis with IT data from an IT network, for storage in an IT network, for analysis with expected operation set points (e.g., thresholds), or the like.

In certain embodiments, one or more properties of the industrial automation system 10 equipment, such as the stations 200, 202, 204, 206, 208, 210, 212, 214, may be monitored and controlled by the industrial control systems 20 for regulating control variables. For example, sensing devices (e.g., sensors 218) may monitor various properties of the industrial automation system 10 and may be used by the industrial control systems 20 at least in part in adjusting operations of the industrial automation system 10 (e.g., as part of a control loop). In some cases, the industrial automation system 10 may be associated with devices used by other equipment. For instance, scanners, gauges, valves, flow meters, and the like may be disposed on or within the industrial automation system 10. Here, the industrial control systems 20 may receive data from the associated devices and use the data to perform their respective operations more efficiently. For example, a controller of the industrial automation system 10 associated with a motor drive may receive data regarding a temperature of a connected motor and may adjust operations of the motor drive based on the data.

The industrial control systems 20 may include or be communicatively coupled to the display/operator interface 18 (e.g., a human-machine interface (HMI)) and to devices of the industrial automation system 10. It should be understood that any suitable number of industrial control systems 20 may be used in a particular industrial automation system 10 embodiment. The industrial control systems 20 may facilitate representing components of the industrial automation system 10 through programming objects that may be instantiated and executed to provide simulated functionality similar or identical to the actual components, as well as visualization of the components, or both, on the display/operator interface 18. The programming objects may include code and/or instructions stored in the industrial control systems 20 and executed by processing circuitry of the industrial control systems 20. The processing circuitry may communicate with memory circuitry to permit the storage of the component visualizations.

As illustrated, a display/operator interface 18 may be configured to depict representations 220 of the components of the industrial automation system 10. The industrial control system 20 may use data transmitted by the sensors 218 to update visualizations of the components via changing one or more statuses, states, and/or indications of current operations of the components. These sensors 218 may be any suitable device adapted to provide information regarding process conditions. Indeed, the sensors 218 may be used in a process loop (e.g., control loop) that may be monitored and controlled by the industrial control system 20. As such, a process loop may be activated based on process inputs (e.g., an input from the sensor 218) or direct input from a person via the display/operator interface 18. The person operating and/or monitoring the industrial automation system 10 may reference the display/operator interface 18 to determine various statuses, states, and/or current operations of the industrial automation system 10 and/or for a particular component. Furthermore, the person operating and/or monitoring the industrial automation system 10 may adjust to various components to start, stop, power-down, power-on, or otherwise adjust an operation of one or more components of the industrial automation system 10 through interactions with control panels or various input devices.

The industrial automation system 10 may be considered a data-rich environment with several processes and operations that each respectively generate a variety of data. For example, the industrial automation system 10 may be associated with material data (e.g., data corresponding to substrate or raw material properties or characteristics), parametric data (e.g., data corresponding to machine and/or station performance, such as during operation of the industrial automation system 10), test results data (e.g., data corresponding to various quality control tests performed on a final or intermediate product of the industrial automation system 10), or the like, that may be organized and sorted as OT data. In addition, sensors 218 may gather OT data indicative of one or more operations of the industrial automation system 10 or the industrial control system 20. In this way, the OT data may be analog data or digital data indicative of measurements, statuses, alarms, or the like associated with operation of the industrial automation system 10 or the industrial control system 20.

The industrial control systems 12 described above may operate in an OT space in which OT data is used to monitor and control OT assets, such as the equipment illustrated in the stations 200, 202, 204, 206, 208, 210, 212, 214 of the industrial automation system 10 or other industrial equipment. The OT space, environment, or network generally includes direct monitoring and control operations that are coordinated by the industrial control system 20 and a corresponding OT asset. For example, a programmable logic controller (PLC) may operate in the OT network to control operations of an OT asset (e.g., drive, motor, and/or high-level controllers). The industrial control systems 20 may be specifically programmed or configured to communicate directly with the respective OT assets.

A container orchestration system 222, on the other hand, may operate in an information technology (IT) environment. That is, the container orchestration system 222 may include a cluster of multiple computing devices that coordinates an automatic process of managing or scheduling work of individual containers for applications within the computing devices of the cluster. In other words, the container orchestration system 222 may be used to automate various tasks at scale across multiple computing devices. By way of example, the container orchestration system 222 may automate tasks such as configuring and scheduling deployment of containers, provisioning and deploying containers, determining availability of containers, configuring applications in terms of the containers that they run in, scaling of containers to equally balance application workloads across an infrastructure, allocating resources between containers, performing load balancing, traffic routing, and service discovery of containers, performing health monitoring of containers, securing the interactions between containers, and the like. In any case, the container orchestration system 222 may use configuration files to determine a network protocol to facilitate communication between containers, a storage location to save logs, and the like. The container orchestration system 222 may also schedule deployment of containers into clusters and identify a host (e.g., node) that may be best suited for executing the container. After the host is identified, the container orchestration system 222 may manage the lifecycle of the container based on predetermined specifications.

With the foregoing in mind, it should be noted that containers refer to technology for packaging an application along with its runtime dependencies. That is, containers include applications that are decoupled from an underlying host infrastructure (e.g., operating system). By including the run time dependencies with the container, the container may perform in the same manner regardless of the host in which it is operating. In some embodiments, containers may be stored in a container registry 224 as container images 226. The container registry 224 may be any suitable data storage or database that may be accessible to the container orchestration system 222. The container image 226 may correspond to an executable software package that includes the tools and data employed to execute a respective application. That is, the container image 226 may include related code for operating the application, application libraries, system libraries, runtime tools, default values for various settings, and the like.

By way of example, an integrated development environment (IDE) tool may be employed by a user to create a deployment configuration file that specifies a desired state for the collection of nodes of the container orchestration system 222. The deployment configuration file may be stored in the container registry 224 along with the respective container images 226 associated with the deployment configuration file. The deployment configuration file may include a list of different pods and a number of replicas for each pod that should be operating within the container orchestration system 222 at any given time. Each pod may correspond to a logical unit of an application, which may be associated with one or more containers. The container orchestration system 222 may coordinate the distribution and execution of the pods listed in the deployment configuration file, such that the desired state is continuously met. In some embodiments, the container orchestration system 222 may include a master node that retrieves the deployment configuration files from the container registry 224, schedules the deployment of pods to the connected nodes, and ensures that the desired state specified in the deployment configuration file is met. For instance, if a pod stops operating on one node, the master node may receive a notification from the respective worker node that is no longer executing the pod and deploy the pod to another worker node to ensure that the desired state is present across the cluster of nodes.

As mentioned above, the container orchestration system 222 may include a cluster of computing devices, computing systems, or container nodes that may work together to achieve certain specifications or states, as designated in the respective container. In some embodiments, container nodes 228 may be integrated within industrial control systems 20 as shown in FIG. 3. That is, container nodes 228 may be implemented by the industrial control systems 20, such that they appear as worker nodes to the master node in the container orchestration system 222. In this way, the master node of the container orchestration system 222 may send commands to the container nodes 228 that are also configured to perform applications and operations for the respective industrial equipment.

With this in mind, the container nodes 228 may be integrated with the industrial control systems 20, such that they serve as passive-indirect participants, passive-direct participants, or active participants of the container orchestration system 222. As passive-indirect participants, the container nodes 228 may respond to a subset of all of the commands that may be issued by the container orchestration system 222. In this way, the container nodes 228 may support limited container lifecycle features, such as receiving pods, executing the pods, updating a respective filesystem to included software packages for execution by the industrial control system 20, and reporting the status of the pods to the master node of the container orchestration system 222. The limited features implementable by the container nodes 228 that operate in the passive-indirect mode may be limited to commands that the respective industrial control system 20 may implement using native commands that map directly to the commands received by the master node of the container orchestration system 222. Moreover, the container node 228 operating in the passive-indirect mode of operation may not be capable to push the packages or directly control the operation of the industrial control system 20 to execute the package. Instead, the industrial control system 20 may periodically check the file system of the container node 228 and retrieve the new package at that time for execution.

As passive-direct participants, the container nodes 228 may operate as a node that is part of the cluster of nodes for the container orchestration system 222. As such, the container node 228 may support the full container lifecycle features. That is, container node 228 operating in the passive-direct mode may unpack a container image and push the resultant package to the industrial control system 20, such that the industrial control system 20 executes the package in response to receiving it from the container node 228. As such, the container orchestration system 222 may have access to a worker node that may directly implement commands received from the master node onto the industrial control system 20.

In the active participant mode, the container node 228 may include a computing module or system that hosts an operating system (e.g., Linux) that may continuously operate a container host daemon that may participate in the management of container operations. As such, the active participant container node 228 may perform any operations that the master node of the container orchestration system 222 may perform. By including a container node 228 operating in the OT space, the container orchestration system 222 is capable of extending its management operations into the OT space. That is, the container node 228 may provision devices in the OT space, serve as a proxy node 230 to provide bi-directional coordination between the IT space and the OT space, and the like. For instance, the container node 228 operating as the proxy node 230 may intercept orchestration commands and cause industrial control system 20 to implement appropriate machine control routines based on the commands. The industrial control system 20 may confirm the machine state to the proxy node 230, which may then reply to the master node of the container orchestration system 222 on behalf of the industrial control system 20.

Additionally, the industrial control system 20 may share an OT device tree via the proxy node 230. As such, the proxy node 230 may provide the master node with state data, address data, descriptive metadata, versioning data, certificate data, key information, and other relevant parameters concerning the industrial control system 20. Moreover, the proxy node 230 may issue requests targeted to other industrial control systems 20 to control other OT devices. For instance, the proxy node 230 may translate and forward commands to a target OT device using one or more OT communication protocols, may translate and receive replies from the OT devices, and the like. As such, the proxy node 230 may perform health checks, provide configuration updates, send firmware patches, execute key refreshes, and other OT operations for other OT devices.

FIG. 4 illustrates a block diagram that depicts the relative positions of the container node 228 and the proxy node 230 with respect to the container orchestration system 222. As mentioned above, the container orchestration system 222 may include a collection of nodes that are used to achieve a desired state of one or more containers across multiple nodes. As shown in FIG. 4, the container orchestration system 222 may include a master node 300 that may execute control plane processes for the container orchestration system 222. The control plane processes may include the processes that enable the container orchestration system 222 to coordinate operations of the container nodes 228 to meet the desired states. As such, the master container node 300 may execute an applications programming interface (API) for the container orchestration system 222, a scheduler component, core resource controllers, and the like. By way of example, the master container node 300 may coordinate all of the interactions between nodes of the cluster that make up the container orchestration system 222. Indeed, the master container node 300 may be responsible for deciding the operations that will run on container nodes 228 including scheduling workloads (e.g., containerized applications), managing the workloads' lifecycle, scaling, and upgrades, managing network and storage resources for the workloads, and the like. The master container node 300 may run an API server to handle requests and status updates received from the container nodes 228.

By way of operation, an integrated development environment (IDE) tool 302 may be used by an operator to develop a deployment configuration file 304. As mentioned above, the deployment configuration file 304 may include details regarding the containers, the pods, constraints for operating the containers/pods, and other information that describe a desired state of the containers specified in the deployment configuration file 304. In some embodiments, the deployment configuration file 304 may be generated in a YAML file, a JSON file, or other suitable file format that is compatible with the container orchestration system 222. After the IDE tool 302 generates the deployment configuration file 304, the IDE tool 302 may transmit the deployment configuration file 304 to the container registry 224, which may store the file along with container images 226 representative of the containers stored in the deployment configuration file 304.

In some embodiments, the master container node 300 may receive the deployment configuration file 304 via the container registry 224, directly from the IDE tool 302, or the like. The master container node 300 may use the deployment configuration file 304 to determine a location to gather the container images 226, determine communication protocols to use to establish networking between container nodes 228, determine locations for mounting storage volumes, locations to store logs for the containers, and the like.

Based on the desired state provided in the deployment configuration file 304, the master container node 300 may deploy containers to the container host nodes 228. That is, the master container node 300 may schedule the deployment of a container based on constraints (e.g., CPU or memory availability) provided in the deployment configuration file 304. After the containers are operating on the container nodes 228, the master container node 300 may manage the lifecycle of the containers to ensure that the containers specified by the deployment configuration file 304 are operating according to the specified constraints and the desired state.

Keeping the foregoing in mind, the industrial control system 20 may not use an operating system (OS) that is compatible with the container orchestration system 222. That is, the container orchestration system 222 may be configured to operate in the IT space that involves the flow of digital information. In contrast, the industrial control system 20 may operate in the OT space that involves managing the operation of physical processes and the machinery used to perform those processes. For example, the OT space may involve communications that are formatted according to OT communication protocols, such as FactoryTalk LiveData, EtherNet/IP. Common Industrial Protocol (CIP), OPC Access (e.g., machine to machine communication protocol for industrial automation developed by the OPC Foundation), OPC Unified Architecture (OPCUA), or any suitable OT communication protocol (e.g. DNP3, Modbus, Profibus, LonWorks, DALI, BACnet, KNX, EnOcean). Because the industrial control systems 20 operate in the OT space, the industrial control systems may not be capable of implementing commands received via the container orchestration system 222.

In certain embodiments, the container node 228 may be programmed or implemented in the industrial control system 20 to serve as a node agent that can register the industrial control system 20 with the master container node 300. The node agent may or may not be the same as the proxy node 230 shown in FIG. 3. For example, the industrial control system 20 may include a PLC that cannot support an operating system (e.g., Linux) for receiving and/or implementing requested operations issued by the container orchestration system 222. However, the PLC may perform certain operations that may be mapped to certain container events. As such, the container node 228 may include software and/or hardware components that may map certain events or commands received from the master container node 300 into actions that may be performed by the PLC. After converting the received command into a command interpretable by the PLC, the container node 228 may forward the mapped command to the PLC that may implement the mapped command. As such, the container node 228 may operate as part of the cluster of nodes that make up the container orchestration system 222, while a first control system 306 (e.g., PLC) that coordinates the OT operations for a second OT device 308 in the industrial control system 12. The first control system 306 may include a controller, such as a PLC, an HLC, a programmable automation controller (PAC), or any other controller that may monitor, control, and operate an industrial automation device or component.

The OT device 308 may correspond to an industrial automation device or component. The OT device 308 may include any suitable industrial device that operates in the OT space. As such, the OT device 308 may be involved in adjusting physical processes being implemented via the industrial system 10. In some embodiments, the OT device 308 may include motor control centers, motors, HMIs, operator interfaces, contactors, starters, sensors, drives, relays, protection devices, switchgear, compressors, network switches (e.g., Ethernet switches, modular-managed, fixed-managed, service-router, industrial, unmanaged, etc.) and the like. In addition, the OT device 308 may also be related to various industrial equipment such as mixers, machine conveyors, tanks, skids, specialized original equipment manufacturer machines, and the like. The OT device 308 may also be associated with devices used by the equipment such as scanners, gauges, valves, flow meters, and the like.

In the present embodiments described herein, the control system 306 may thus perform actions based on commands received from the container node 228. By mapping certain container lifecycle states into appropriate corresponding actions implementable by the control system 306, the container node 228 enables program content for the industrial control system 20 to be containerized, published to certain registries, and deployed using the master container node 300, thereby bridging the gap between the IT-based container orchestration system 222 and the OT-based industrial control system 20.

In some embodiments, the container node 228 may operate in an active mode, such that the container node may invoke container orchestration commands for other container nodes 228. For example, a proxy node 230 may operate as a proxy or gateway node that is part of the container orchestration system 222. The proxy node 230 may be implemented in a sidecar computing module that has an operating system (OS) that supports the container host daemon. In another embodiment, the proxy node 230 may be implemented directly on a core of the control system 306 that is configured (e.g., partitioned), such that the control system 306 may operate using an operating system that allows the container node 228 to execute orchestration commands and serve as part of the container orchestration system 222. In either case, the proxy node 230 may serve as a bi-directional bridge for IT/OT orchestration that enables automation functions to be performed in IT devices based on OT data and in OT devices 308 based on IT data. For instance, the proxy node 230 may acquire OT device tree data, state data for an OT device, descriptive metadata associated with corresponding OT data, versioning data for OT devices 308, certificate/key data for the OT device, and other relevant OT data via OT communication protocols. The proxy node 230 may then translate the OT data into IT data that may be formatted to enable the master container node 300 to extract relevant data (e.g., machine state data) to perform analysis operations and to ensure that the container orchestration system 222 and the connected control systems 306 are operating at the desired state. Based on the results of its scheduling operations, the master container node 300 may issue supervisory control commands to targeted OT devices via the proxy nodes 230, which may translate and forward the translated commands to the respective control system 306 via the appropriate OT communication protocol.

In addition, the proxy node 230 may also perform certain supervisory operations based on its analysis of the machine state data of the respective control system 306. As a result of its analysis, the proxy node 230 may issue commands and/or pods to other nodes that are part of the container orchestration system 222. For example, the proxy node 230 may send instructions or pods to other worker container nodes 228 that may be part of the container orchestration system 222. The worker container nodes 228 may corresponds to other container nodes 228 that are communicatively coupled to other control systems 306 for controlling other OT devices 308. In this way, the proxy node 230 may translate or forward commands directly to other control systems 306 via certain OT communication protocols or indirectly via the other worker container nodes 228 associated with the other control systems 306. In addition, the proxy node 230 may receive replies from the control systems 306 via the OT communication protocol and translate the replies, such that the nodes in the container orchestration system 222 may interpret the replies. In this way, the container orchestration system 222 may effectively perform health checks, send configuration updates, provide firmware patches, execute key refreshes, and provide other services to OT devices 308 in a coordinated fashion. That is, the proxy node 230 may enable the container orchestration system to coordinate the activities of multiple control systems 306 to achieve a collection of desired machine states for the connected OT devices 308.

As shown in FIG. 4, the industrial automation system 10 may include one or more edge device 314 that automatically deploy, enforce, and/or implement one or more policies or policy updates to one or more policy enforcement points (e.g., OT assets 306, 308) within the industrial automation system 10. In some embodiments, the edge device 314 may itself act as a policy enforcement point. As used herein, an “edge device” 314 is a device within the industrial automation system 10 that controls data flow within the industrial automation system 10 (e.g., the OT network) as well as between the industrial automation system 10 (e.g., the OT network) and an IT network 312 (e.g., the IT network). For example, the edge device 314 may be a router, a switch, or the like. In certain embodiments, the edge device 314 may receive a policy update (e.g., a security update) from the network 312 that may include, for example, an enterprise system, a server device, a plant management system, or the like. The enterprise system may include software and/or hardware components that support business processes, information flows, reporting, data analytics, and the like for an enterprise. The server device may include a policy server that manages communication between the components of the industrial automation system 10. That is, the policy server may manage one or more policies that include provisions or instructions that detail how communication between the components of the industrial automation system 10 is performed. As such, the server device 30 may implement a policy (e.g., a security update) related to centrally managing communications between the components of the industrial automation system 10. The plant management system may include any suitable management computing system that receives data from a number of control systems (e.g., industrial control systems 20). As such, the plant management system may track operations of one or more facilities and one or more locations. In addition, the plant management system may issue control commands to the components of the industrial automation system 10.

A policy is a set of one or more rules or procedures that govern access and use of an organization's OT assets (e.g., industrial automation devices associated with OT machines). Characteristics of policies may include confidentiality, availability, integrity, authentication, operation, and non-repudiation of the organization's OT assets. A policy may include a set of two or more setting that identify data or information for components of the industrial automation system 10, or endpoints thereof, that are to be trusted, information regarding which communication ports to use, and the like. As such, a policy sets forth provisions that may govern management of OT assets, access to such assets, backups of such assets, security of such assets, operation of such assets, and the like. For example, a policy may define provisions addressing acceptable usage of OT/IT assets, antivirus management, data backup and disaster recovery, change management, cryptography usage, data and asset classification, data retention, data support and operations, data usage, email/messaging protection policies, user identity and access management, incident response, threat protection, internet usage restrictions, mobile device policy, OT/IT network security, password and credential protocols, firmware/patch management, personnel security, physical and environmental security, malware/spyware/ransomware detection, system update schedules, wireless network access, guest access, and so forth. Accordingly, a policy may govern, for example, how to manage who has access to what OT devices, what files and/or communications should be encrypted, what ports can be used for what purposes, characteristics of passwords (e.g., number of characters, upper and lower case letters, numbers, special characters), how often users must change their passwords, how often backups are done, how long backups are retained, guidelines for accessing wireless internet, what happens when a threat occurs, processes for onboarding/offboarding users as they start and leave positions, the process that occurs when a user changes roles, maintenance procedures, and so forth.

As used herein, a “policy update” may refer to a new policy, or set of policies, to be implemented by the OT asset or enforced at one or more policy enforcement points within the industrial automation system 10, an update to an existing policy implemented by the OT asset or enforced at the one or more policy enforcement points within the industrial automation system 10, a new setting to be implemented by the OT asset, an update to an existing setting implemented by the OT asset, a new rule to be implemented by the OT asset, an update to an existing rule implemented by the OT asset, software (e.g., code) to be implemented by the OT asset, an update to at least a portion of software (e.g., code) implemented by the OT asset, data (e.g., configuration data) to be utilized by the software implemented by the OT asset, an update to existing data (e.g., configuration data) utilized by the software implemented by the OT asset, a new version of firmware to be implemented by the OT asset, an update to an existing version of firmware implemented by the OT asset, or the like. After receiving one or more policy updates from the network 316, the edge device 314 may push a policy update to the components of the industrial automation system 10, or the components of the industrial automation system 10 may pull the policy update from the edge device 314.

Policies may be developed and implemented based on design artifacts of the industrial automation system 10 and/or information about the architecture of the industrial automation system 10 and how the industrial automation system 10 is intended to operate (e.g., product being produced, industry, location, anticipated operating conditions, and so forth). Further, once a set of policies have been implemented and/or enforced at one or more policy enforcement points while the industrial automation system 10 is operating, data collected during the operation of the industrial automation system 10 (e.g., run-time data, help ticket data, incident data, vulnerability data, data received from one or more service providers, one or more customers, one or more partner organizations, one or more suppliers, and so forth) may be used to generate recommended updates to the current set of implemented and/or enforced policies.

FIG. 5 illustrates a schematic of an architecture 400 for managing policies within an enterprise 402. As shown, the enterprise 402 may operate multiple facilities 404, each having one or more industrial automation systems 10, managed by one or more computing devices 26. Operations of each facility 404 may be managed by one or more computing devices 26 that may be on premises at the facility or located remote from the facility 404. Though not shown, in some embodiments, some facilities 404 may be further subdivided into areas having one or more industrial automation systems 10 under the control of a respective management system (e.g., a computing device 26 running control software). The industrial automation systems 10 may be disposed behind firewalls and/or within private networks defined by one or more firewalls. A single private network may encompass an entire facility 404, an area of a facility 404 that includes one or more industrial automation systems 10, or individual industrial automation systems 10 within a facility 404, or spanning multiple facilities 404. One or more computing devices 26 disposed throughout the enterprise 402, may run software for managing operations of the enterprise 402.

For example, a user may utilize a policy management tool to manage policies for the entire enterprise 402. That is, the policy management tool may be utilized to create new policies, edit existing policies, remove existing policies, activate policies, deactivate policies, deploy specific policies to specific facilities 404, areas, industrial automation systems 10, and/or devices operated by the enterprise, and/or make adjustments to how policies are enforced throughout the enterprise 402. In some embodiments, policies may only be managed downstream of where the policy management tool is instantiated. For example, a user accessing the policy management tool may be able to manage policies for the entire enterprise 402, whereas a user accessing the policy management tool at Facility 1 may be able to manage policies within Facility 1, but may not be authorized to manage policies for Facility N. Similarly, a user accessing the policy management tool via Facility N may only be able to manage policies for the industrial automation systems 10 that are within the facility 404 (e.g., OT SYS-1 and OT SYS-2, but not OT SYS-N). However, in other embodiments, authority to manage policies within an enterprise 402 may be determined based on other factors, such as authority granted to specific users or user profiles, the type of policies to be managed, components affected by changes, etc.

Computing devices 26 within the enterprise 402 that run the policy management tool may act as enforcement points for policies or otherwise facilitate enforcement of policies within the enterprise 402. For example, if a user makes a modification to a policy, the modification is reflected in the other instantiations of the policy management tool throughout the enterprise 402 such that Facility 1 may make sure that the policy is enforced as modified by the industrial automation systems 10 within the facility 404. However, it should be understood that computing devices 26 running the policy management tool may not be the only enforcement points within an enterprise 402. Indeed, other devices, such as edge devices, firewalls, controllers, and even industrial automation systems 10 themselves may act as policy enforcement points.

The policy management tool may also be used to analyze collected data to develop new policies and/or modifications to existing policies. In some embodiments, the collected data may be discovery data and/or network topology data that may be analyzed to determine characteristics of the OT network and, in some embodiments, generate visualizations (e.g., network maps) of the OT network. Specifically, characteristic information (e.g., IP addresses, MAC addresses, serial numbers, etc.) may be used to identify and/or characterize components that appear in data until a topology (e.g., map) of the whole OT network can be generated. In such embodiments, the data may include a manufacturer name, a product name, a model name, a model number, a serial number, a firmware version, a software version, a port status, captured network traffic, Common Industrial Protocol (CIP) discovery data, link layer discovery protocol (LLDP) data, network traffic data, Open Platform Communications Unified Architecture (OPC-UA) data, and so forth. Data 406 may also be collected from the industrial automation systems 10 in a facility 404 during operation. The collected data may include, for example, design artifacts, help ticket data, incident data, vulnerability data, network traffic data, captured network traffic (e.g., data packets), device logs, data received from one or more service providers, notes provided by an operator, software/firmware update data, warning data, error code data, operational data, temperature data, pressure data, speed/rotation data, quality control data, and so forth. Design artifacts and/or operational data 406 may be aggregated and used to generate recommended policies 408 or modifications to existing policies (e.g., via a policy development engine 410). The recommended policies 408 are implemented and/or enforced (e.g., via one or more policy enforcement points) within the enterprise 402 and/or distributed to the facilities 404 or particular industrial automation systems 10 within the enterprise 402. Once policies 408, or updates to policies, have been implemented and/or enforced, new data 406 may be collected and used to retrain and/or refine the policy development, or to evaluate revised policies 408.

Though the embodiment shown in FIG. 5 uses the computing device 26 at the enterprise level to aggregate data 406, interface with or run the policy development engine 410, and implement, enforce, and/or disseminate policies 408, it should be understood that embodiments are envisaged in which computing devices at the facility, system, or device level performs these functions. That is, aggregating data 406, running the policy development engine 410, and implementing/enforcing policies 408 may be performed at various levels of an enterprise's structure (e.g., the device level, the system level, the facility level, the enterprise level, one or more intermediate levels, or distributed among multiple levels).

In some embodiments, the policy development engine 410 may be run on an edge device in an OT network. In such embodiments, the edge device may receive design artifacts and/or run-time data 406 from one or more devices on an OT network, input the received data to a policy development engine 410 running on the edge device, and generate a set of recommended policies, which may be automatically implemented/enforced, presented to a user for approval, presented to a user for consideration, or some combination thereof, via the policy management tool. The policy development engine 410 may run on a processor of the edge device within an operating system, or the policy development engine 410 may run in a container that is managed by the container orchestration system 222 of FIGS. 3 and 4 (e.g., Docker, KUBERNETES®) instead of, or in addition to, the edge device. As previously described, the container orchestration system may operate in an IT environment and may include a cluster of multiple computing devices that coordinates an automatic process of managing or scheduling work of individual containers (e.g., operating system level virtualization) for applications within the computing devices of the cluster. In other words, the container orchestration system may be used to automate various tasks at scale across multiple computing devices.

In some embodiments, the enterprise 402 may purchase or subscribe to services 412, such as machine learning models, training data for training machine learning models, and/or recommended policies to the enterprise 402, provided by a service provider 30. In some embodiments, the enterprise may collect data 414 to transmit to the service provider 30 that provides some information about the effectiveness of the policies deployed within the enterprise 402. Accordingly, the service provider 30 may use data 414 collected from one or more customer enterprises 402 to improve machine learning models and/or the training data provided to the enterprises 402. Customers may choose to opt in or opt out of providing data 414 to the service provider 30. In some cases, because enterprises may be hesitant to share data, data may be anonymized, masked, pseudonymized, generalized, or otherwise scrubbed before being transmitted to the service provider. For example, characteristic data elements (e.g., names, addresses, IP addressed, MAC addresses, phone numbers, network names, passwords, employee names, employee numbers, employee information, etc.) within the data 414 may be identified and removed and/or changed before being transmitted. Further, data elements related to industrial processes, settings of the industrial automation systems, set points, trade secrets, intellectual property, or other proprietary information may be identified and removed or changed before being transmitted. Further, the service provider 30 may take additional steps to secure the data received by the enterprise 402, such as using a secure communication channel, encrypting data for transmission, encrypting data for storage, and so forth.

As OT systems 10 become more connected and complex, policy management may become more dynamic, resulting in more frequent changes to policies. For example, as shown in FIG. 5, an enterprise 402 may use a service provider 30 to provide suggestions 412 for how to improve its operations and/or run more efficiently, notifications about possible security vulnerabilities for the enterprise, and so forth. Further, software updates, firmware updates, new hardware, changes to industry standards, changes to laws/regulations, etc. may lead an enterprise to implement new policies or modify existing policies to better fit the changing environment. However, given the complexity of modern OT systems 10, it may be difficult to predict all of the ways that a new or modified policy impacts an OT system. If a new or modified policy has unintended and/or unanticipated impacts on an OT system 10, having the ability to quickly and easily revert back to one or more policies associated with the last known stable state, or a previously known stable state, may help to reduce, minimize, or completely eliminate downtime or outages. Further, knowing they can revert to a policy associated with a known stable state may give administrators the confidence to frequently create new policies and update existing policies to address vulnerabilities as they arise and keep the enterprise running efficiently without fear of excessive down time or outages. Accordingly, the present techniques are directed to OT systems 10 and/or devices that have the capability to revert to a backup policy if a problem arises running an active policy.

FIG. 6 is a schematic of an OT system 10 having one or more OT devices 308 with a policy undo capability. The OT devices 308 may include motor control centers, motors, HMIs, operator interfaces, contactors, starters, sensors, drives, relays, protection devices, switchgear, compressors, network switches (e.g., Ethernet switches, modular-managed, fixed-managed, service-router, industrial, unmanaged, etc.), edge devices, mixers, machine conveyors, tanks, skids, specialized original equipment manufacturer machines, scanners, gauges, valves, flow meters, and the like. Each of the OT devices 308 may include a memory 106, a processor 102, and in some cases, a network interface 116. Though not shown, it should be understood that the OT devices 308 may include other components, such as a power source, a user interface, input structures, sensors, actuators, etc.

The memory 106 of each OT device 308 may include volatile and non-volatile memory. The memory 106 may be configured to store policies 500, which may include one or more active policies 502 and one or more backup policies 504. Though not shown, the memory 106 may also store various other data, such as operational data, configuration data, user profile data, system data, sensor data, databases and/or database tables, routines, control programs/files, instructions defining applications, programs, algorithms, scripts, machine learning models, and so forth.

The policies 500 may be defined as a set of two or more settings that set forth how the OT device 308 is configured, how the OT device 308 operates, and/or how the OT device may be accessed. For example, policies 500 may dictate network addresses, how network addresses are assigned, allowed communication ports, allowed operational parameters, allowed configuration settings, groups of allowed settings during operation, who is allowed to access what devices, etc. Policies 500 may be defined by text, scripts, portions of code, and so forth. The policies may be written directly by a user (e.g., a control engineer), or generated based on inputs provided by a user (e.g., via a graphical user interface). In some embodiments, policies 500 may be generated on or by the OT device 308, whereas in other embodiments, policies 500 may be generated on a different device (e.g., a computing device) and provided to the OT device 308 (e.g., as a patch or a policy update) through the IT/OT network. Accordingly, in some embodiments, policies 500 may be defined and deployed within an OT network in bulk, crosschecked at the system level, deployed, and only accessible by authorized parties. In other embodiments, policies may be defined and deployed with specific OT devices 308 in mind. For larger enterprises, policies may be defined by control engineers and then loaded onto OT devices by an OT administrator.

The active policies 502 are stored in memory 106 and are the policies that are actively enforced by the OT device 308. Accordingly, the active policies 502 may be stored in the memory 106 separate (e.g., different partition or different memory all together) from the backup policies 504, or may be otherwise distinguished from the backup policies 504 using tags, labels, flags, and so forth. During enforcement of the active policies 502, the OT device 308 may receive data indicative of an event to which the OT device 308 may respond. The event may be, for example, a request for access, a request for data, instructions to change configurations or settings, and so forth. The OT device 308 may receive and process the received data and then reference the active policies 502 to determine what action, if any, should be taken. For example, if the event is a request for access to the OT device 308, the OT device may determine whether the active policies 502 authorize access to the requesting device and then allow or deny access based upon the active policies 502.

The backup policies 504 are also stored in memory 106, but are not actively enforced by the OT device 308. As previously discussed, the backup policies 504 may be stored in the memory 106 separate (e.g., different partition or different memory all together) from the active policies 502, or may be otherwise distinguished from the active policies 502 using tags, labels, flags, and so forth. Backup policies 504 may be stored in memory 106 and retrieved by the processor 102, a compute surface of the OT device, a container, etc. in response to receiving a command to revert from the active policy to the backup policy. As shown in FIG. 6, the command to revert from the active policy 502 to the backup policy 504 may be received in different ways. In one embodiment, the OT device 308 may include a policy undo switch 506 which may be a hardware (e.g., mechanical switch, push button, etc.) switch on the device 308 itself (e.g., on an exterior housing of the OT device 308), or may be included on a user interface of the device 308 via a display screen. In other embodiments, the command may be received across the OT network via the network interface 116. In such embodiments, the command to revert from the active policy 502 to the backup policy 504 may be generated by a device on the OT network, such as a computing device, a tablet, a mobile device, an HMI, an edge device, another OT device, an OT control system, a PLC, etc. The command may include a file that includes the backup policy to be implemented. However, in other embodiments, the command may be a lightweight command that merely identifies, references, or otherwise points to a backup policy already stored in memory 106 of the OT device 308 to be implemented. Such a command may be considered lightweight because the command is smaller in size than a similar command that includes the backup policy, thus allowing the lightweight command to be transmitted across the OT network faster and more efficiently that the command that includes the backup policy.

Upon receiving the command to revert to the backup policy, the OT device 308 may retrieve the backup policy 504 from memory, update the active policy 502 to indicate that it is no longer active, update the backup policy 504 to indicate that it is now active, and then implement the backup policy 504 going forward. Updating the policies 500 may include updating storage locations (e.g., different partition or different memory all together), tags, labels, flags, and so forth associated with the policies 500 to indicate their respective statuses. Further, retrieving policies, updating policies, and implementing policies may be done via the processor 102 of the OT device 308, a compute surface of the OT device 308, a container running on the OT device 308, another device on the OT network, such as a computing device, a tablet, a mobile device, an HMI, an edge device, another OT device, an OT control system, a PLC, or some combination thereof.

During operation, the OT device may receive new policies, updates to existing policies, instructions to update policies stored in memory, or instructions to update the statuses (e.g., active, backup, etc.) of policies stored in memory. These may be received via a user interface of the OT device 308, or from some other device on the OT network. In response, the OT device 308 may add new policies 500 to memory 106, remove policies 500 from memory 106, update policies 500 stored in memory 106 move policies 500 to new locations within the memory 106, update tags, labels, flags, and so forth associated with the policies 500 to indicate their respective statuses, and so forth.

Though FIG. 6 shows OT devices having the policy undo capability, it should be understood that embodiments are envisaged in which OT control systems, edge devices, computing devices, containers, tablets, mobile devices, human-machine interfaces, etc. have the policy undo capability. Accordingly, the embodiment shown in FIG. 6 is not intended to be limiting.

FIG. 7 is a flow chart of a process 600 for policy undo in OT systems. At block 602, the process begins enforcing one or more active policies stored in memory. The active policies define settings, guidelines, and/or rules that define various aspects of how OT devices are to be configured and operate. Accordingly, the OT device may reference the active policies at decision points determine how to respond to events that occur. Active policies may govern, for example access and use of an organization's OT assets (e.g., industrial automation devices associated with OT machines). Enforcing the active policy may include, for example, receiving data indicative of an event and taking an action in response to the event. The event may be anything that may trigger a response from the OT device. For example, the event may include a request for access, a request for data, instructions to change configurations or settings, a request to install software, a request to establish a connection, and so forth. The process 600 may then identify an action to take in response to the event based on the one or more active policies being enforced. For example, the process 600 may receive and process the received data and then reference the active policies to determine what action, if any, should be taken. For example, if the event is a request for access to the OT device, the process 600 may determine whether the active policies authorize access to the requesting device and then allow or deny access based upon the active policies. In some embodiments, the identified action may be to take no action. The process 600 may then perform the identified action as part of enforcing the active policy.

At block 604, the process 600 receives a command to revert to a backup policy. In one embodiment, the OT device may include a policy undo switch which may be a hardware (e.g., mechanical switch, push button, etc.) switch on the device itself, or may be part of a user interface (e.g., display screen) of the device. In other embodiments, the command may be received from another device on the OT network, such as a computing device, a tablet, a mobile device, an HMI, an edge device, another OT device, an OT control system, a PLC, etc. If the command is received via the OT network, the command may or may not include a file that includes the backup policy to be implemented. In some embodiments, the command may be a lightweight command that merely identifies, references, or otherwise points to a backup policy already stored in memory to be implemented. In some embodiments, the command may be automatically generated, by the OT device, or some other device, based on a detected event or some monitored parameter crossing a threshold value or crossing outside of some acceptable range.

At block 606, the process 600 retrieves the backup policy from memory. In some embodiments, even if the backup policy is received via a command transmitted through the OT network, the backup policy is stored in memory and retrieved from memory before implementation. In some embodiments, the process 600 may update the active policy to indicate that it is no longer active, update the backup policy to indicate that it is now active. Updating the policies may include updating storage locations (e.g., different partition or different memory all together), tags, labels, flags, and so forth associated with the policies to indicate their respective statuses. Further, retrieving policies, updating policies, and implementing policies may be done via a processor, a compute surface, a container, another device on the OT network, such as a computing device, a tablet, a mobile device, an HMI, an edge device, another OT device, an OT control system, a PLC, or some combination thereof.

At block 608, the process 600 enforces the backup policy. This may include, for example, receiving data indicative of an event and taking an action in response to the event. The process 600 may then identify an action to take in response to the event based on the backup policy being enforced. For example, the process 600 may receive and process the received data and then reference the backup policy to determine what action, if any, should be taken. For example, if the event is a request for access to the OT device, the process 600 may determine whether the backup policy authorizes access to the requesting device and then allow or deny access based upon the backup policy. In some embodiments, the identified action may be to take no action. The process 600 may then perform the identified action as part of enforcing the backup policy. The process 600 may continue enforcing the backup policy until instructions are received to enforce a different policy, add new policies to memory, remove policies from memory, update policies stored in memory move policies to new locations within the memory, update tags, labels, flags, and so forth associated with the policies to indicate their respective statuses, and so forth.

The present disclosure is directed to OT devices having a policy undo capability that quickly and easily reverts an OT device to a policy associated with a previous known stable state. Specifically, a system may store an active policy and a backup policy in memory. The backup policy may be a policy associated with a last known stable state of the OT device and/or OT system. If an administrator determines that the active policy is not working as intended or has unanticipated side effects, the administrator provides a command to revert to the backup policy. In some embodiments, the command may be provided via a physical input device, such as a push button, or via a user interface of the OT device itself. The command may cause the OT device to retrieve the backup policy from memory and implement the backup policy. In other embodiments, the command may be provided via some other device on the OT network, such as a mobile device, a work station, a tablet, a human-machine interface (HMI), etc. In such embodiments, instructions may be transmitted to the OT device over the OT network to implement the backup policy. In some embodiments, the instructions transmitted over the OT network may include the backup policy, whereas in other embodiments, the instructions may reference a backup policy that is already stored in memory of the OT device, such that the instructions are smaller in size and can be more quickly and efficiently transmitted via the OT network. Providing customers with a policy undo capability may

Technical effects of using the present techniques include reduced downtime and/or outages due to policies not working as intended or having unanticipated side effects. Further, the policy undo capability gives administrators peace of mind to update policies frequently without fear of causing excessive downtime, knowing OT devices can be reverted back to backup policies associated with last known stable states if the updated policies cause problems.

The specific embodiments described above have been shown by way of example, and it should be understood that these embodiments may be susceptible to various modifications and alternative forms. It should be further understood that the claims are not intended to be limited to the particular forms disclosed, but rather to cover all modifications, equivalents, and alternatives falling within the spirit and scope of this disclosure.

The techniques presented and claimed herein are referenced and applied to material objects and concrete examples of a practical nature that demonstrably improve the present technical field and, as such, are not abstract, intangible or purely theoretical. Further, if any claims appended to the end of this specification contain one or more elements designated as “means for [perform]ing [a function] . . . ” or “step for [perform]ing [a function] . . . ”, it is intended that such elements are to be interpreted under 35 U.S.C. 112(f). However, for any claims containing elements designated in any other manner, it is intended that such elements are not to be interpreted under 35 U.S.C. 112(f).

Claims

1. An operational technology (OT) device, comprising:

a processor; and

a memory, accessible by the processor, the memory storing: a first policy comprising a first set of settings associated with the operation of the OT device; a second policy comprising a second set of settings associated with the operation of the OT device; and instructions that, when executed by the processor, cause the processor to perform operations comprising: receiving first data associated with a first event; identifying a first action in response to the first event based on the first policy; performing the identified first action; receiving a command to enforce the second policy and stop enforcing the first policy; receiving second data associated with a second event; identifying a second action in response to the second event based on the second policy; and performing the identified second action.

2. The OT device of claim 1, wherein the command to enforce the second policy and stop enforcing the first policy is received from another device via an OT network.

3. The OT device of claim 2, wherein the command is received with a file that includes the second policy.

4. The OT device of claim 2, wherein the command identifies the second policy stored in memory.

5. The OT device of claim 1, wherein the command to enforce the second policy and stop enforcing the first policy is received via a user interface of the OT device.

6. The OT device of claim 1, wherein the first policy comprises an active policy, and wherein the second policy comprises a backup policy.

7. The OT device of claim 1, wherein the operations comprise:

receiving an input indicative of a modification to the first policy; and

updating the first policy stored in memory to implement the modification.

8. The OT device of claim 1, wherein the memory stores a third policy comprising a third set of settings associated with the operation of the OT device, wherein identifying the first action in response to the first event is based on the first policy and the third policy.

9. An operational technology (OT) device, comprising:

a user interface element that, when actuated, generates a command to enforce a second policy and stop enforcing a first policy;

a processor; and

a memory, accessible by the processor, the memory storing: the first policy, wherein the first policy comprises a first set of settings associated with the operation of the OT device; the second policy, wherein the second policy comprises a second set of settings associated with the operation of the OT device; and instructions that, when executed by the processor, cause the processor to perform operations comprising: receiving first data associated with a first event; identifying a first action in response to the first event based on the first policy; performing the identified first action; receiving, via the user interface element, the command to enforce the second policy and stop enforcing the first policy; receiving second data associated with a second event; identifying a second action in response to the second event based on the second policy; and performing the identified second action.

10. The OT device of claim 9, wherein the first and second event comprise a request for data, a request for access, a request to install software, or a request to establish a connection, or any combination thereof.

11. The OT device of claim 9, wherein the instructions, when executed by the processor, cause the processor to perform the operations comprising:

receiving, from another device via an OT network, a third policy comprising a third set of settings associated with the operation of the OT device, and an indication that third policy is to be enforced instead of the first policy; and

storing the third policy in the memory.

12. The OT device of claim 11, wherein the instructions, when executed by the processor, cause the processor to perform the operations comprising:

receiving third data associated with a third event;

identifying a third action in response to the third event based on the third policy; and

performing the identified third action.

13. The OT device of claim 11, wherein the instructions, when executed by the processor, cause the processor to perform the operations comprising receiving, from the other device on the OT network, instructions to make the third policy an active policy, make the first policy a backup policy, and remove the second policy from the memory.

14. The OT device of claim 13, wherein the instructions, when executed by the processor, cause the processor to perform the operations comprising:

generating, in the memory, a first indication that the third policy is the active policy;

generating, in the memory, a second indication that the first policy is the backup policy; and

removing the second policy from the memory.

15. A method, comprising:

enforcing a first policy comprising a first set of settings associated with operation of an OT device;

receiving a command to stop enforcing the first policy and to enforce a second policy comprising a second set of settings associated with the operation of the OT device;

retrieving the second policy from memory; and

enforcing the second policy.

16. The method of claim 15, wherein enforcing the first policy comprises:

receiving first data associated with a first event;

identifying a first action in response to the first event based on the first policy; and

performing the identified first action.

17. The method of claim 16, wherein enforcing the second policy comprises:

receiving second data associated with a second event;

identifying a second action in response to the second event based on the second policy; and

performing the identified second action.

18. The method of claim 17, wherein the first and second event comprise a request for data, a request for access, a request to install software, or a request to establish a connection, or any combination thereof.

19. The method of claim 15, wherein the first policy comprises an active policy, and wherein the second policy comprises a backup policy.

20. The method of claim 15, wherein the command to enforce the second policy and stop enforcing the first policy is received from another device via an OT network.